11-08-2011 01:01 PM - edited 03-11-2019 02:47 PM
Hi All,
I have a question to pros:
In terms of security and easier configuration, which option is more preferable:
using
"no sysopt connection permit-vpn" and apply inbound ACLs on outside interface
or using VPN filters?
I feel more secure when there is no sysopt connection permit-vpn statement in my ASA, so I can apply inbound ACLs on outside interface.
I am not planning to switch over to VPN filters, and want to hear your opinion.
I have a bunch of L2L tunnels and don't have any access VPN.
Thanks!
11-09-2011 08:51 AM
bump
11-09-2011 09:01 AM
Only tried vpn-filter once and it didn't work properly, but that was a while ago. I think I was hitting a bug CSCse67035 and the configuration documentation wasn't very good on the subject at that time. Been running no sysopt conn permit-vpn ever since. In my opinion, if you are always going to restrict all of your VPNs there is no reason for vpn filters. If you have VPNs you don't restrict and others you do, then vpn filters may make more sense from a management standpoint.
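The two options from the question and this reply, written out side by side as ASA configuration. This is an added example, not configuration posted in the thread; the networks, ACL names, group-policy name and peer address are assumed placeholders.

```text
! Option 1: disable the implicit bypass so decrypted L2L traffic is checked
! against the inbound ACL on the outside interface like any other traffic.
! IKE/ESP to the ASA itself is still accepted once the crypto map is bound to
! the interface, so the ACL only needs to describe the cleartext flows.
! This one ACL governs every tunnel terminating on "outside".
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Option 2: keep the default bypass and restrict a single tunnel with vpn-filter.
! A vpn-filter ACL is written remote-network -> local-network and the ASA
! applies it to both directions of the tunnel; tunnels whose group-policy has
! no vpn-filter remain unrestricted.
sysopt connection permit-vpn
access-list VPNFILTER_SITEB extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443
group-policy GP_SITEB internal
group-policy GP_SITEB attributes
 vpn-filter value VPNFILTER_SITEB
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP_SITEB
```

Whichever option is used, verify with show access-list that the intended ACL accumulates hit counts for tunnel traffic, since an unapplied filter silently leaves the tunnel open.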
07-25-2022 02:37 PM
@acomiskey did this bug some how get fixed? Or does this issue still occur?
07-25-2022 08:28 PM
@rfeero please note you are replying to a thread that was last updated almost 11 years ago.